On critical systems it is usually considered a bad practice to allow direct remote logins to system users, such as root or other application owners, and shared users, such as oracle. For better control, and from the user audit point of view, it is recommended to create separate login users that are allowed to connect and then switch (su) to the critical users. No other user should be exposed to the outside world for direct, remote, or local connections.

In this recipe, we will create a group named logingrp and a user named loguser1, and we will disable direct logins for all other users.
Create the logingrp group:

[root@nodeorcl1 ~]# groupadd logingrp

Create the user loginuser1 and add it to the logingrp group as follows:

[root@nodeorcl1 ~]# useradd -g logingrp loginuser1
Open /etc/pam.d/system-auth and add the following line to the account stack:

account required pam_access.so

Open /etc/security/access.conf and add the following rule (the fields are permission:users:origins; the leading "-" is the deny permission, without it pam_access rejects the line):

-:ALL EXCEPT logingrp:ALL
At this point, direct logins for all users that are not members of the logingrp group will be denied. If we try to connect as oracle from nodeorcl5, the connection will be closed:

[loguser1@nodeorcl5 ~]$ ssh -l oracle nodeorcl1
oracle@nodeorcl1's password:
Connection closed by 10.241.132.218
[loguser1@nodeorcl5 ~]$

Connecting as loginuser1 succeeds:

[loguser1@nodeorcl5 ~]$ ssh -l loginuser1 nodeorcl1
loguser1@nodeorcl1's password:
[loguser1@nodeorcl1 ~]$
To restrict su capabilities for all users except loginuser1, open /etc/pam.d/su and uncomment the following line, as instructed in the file:

# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid

Now users that are not members of the wheel group are not allowed to switch to another user. Add loginuser1 to the wheel group as follows; in this way the only user that may execute the su command will be loginuser1 (note that usermod -G replaces the user's supplementary group list, which is safe here because loginuser1 only has its primary group logingrp; for a user that already belongs to other groups, use usermod -aG wheel to append instead):

[root@nodeorcl1 etc]# usermod -G wheel loginuser1
If you try to execute the su command as the oracle user, you will get an incorrect password message and the switch cannot be performed:

[oracle@nodeorcl1 ~]$ su -
Password:
su: incorrect password
[oracle@nodeorcl1 ~]$

With loguser1 it succeeds:

[loguser1@nodeorcl1 ~]$ su -
Password:
[root@nodeorcl1 ~]#
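The following POSIX shell function is an added audit check, not part of the recipe: it verifies that the four controls above (pam_access in system-auth, the deny rule in access.conf, pam_wheel uncommented in the su stack, and wheel containing only the login user) are actually in place. The file paths and the login user name are parameters (an assumption made so the check can run against copies or fixtures as well as the live /etc files); the return value is the number of missing controls.

```shell
#!/bin/sh
# Added audit helper (not from the recipe). Paths are passed in so the check can
# run against copies or test fixtures as well as the live /etc files.
# Usage: audit_login_hardening SYSTEM_AUTH ACCESS_CONF PAM_SU GROUP_FILE LOGIN_USER
# Returns 0 when every control is present; otherwise prints each gap and
# returns the number of gaps found.
audit_login_hardening() {
    system_auth=$1 access_conf=$2 pam_su=$3 group_file=$4 login_user=$5
    gaps=0

    # 1. pam_access must be active in the account stack of system-auth
    if ! grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$system_auth"; then
        echo "GAP: pam_access.so is not required in $system_auth"
        gaps=$((gaps + 1))
    fi

    # 2. access.conf must carry the deny rule "-:ALL EXCEPT logingrp:ALL"
    #    (a commented-out line or a "+" rule does not count)
    if ! grep -Eq '^[[:space:]]*-[[:space:]]*:[[:space:]]*ALL[[:space:]]+EXCEPT[[:space:]]+logingrp[[:space:]]*:[[:space:]]*ALL' "$access_conf"; then
        echo "GAP: deny-all-except-logingrp rule missing in $access_conf"
        gaps=$((gaps + 1))
    fi

    # 3. pam_wheel must be uncommented in the su stack
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$pam_su"; then
        echo "GAP: pam_wheel.so is still commented out in $pam_su"
        gaps=$((gaps + 1))
    fi

    # 4. wheel must contain the login user and nobody else, since every wheel
    #    member can su. Only supplementary members listed in the group file are
    #    checked; a user whose primary group is wheel would not be seen here.
    wheel_members=$(awk -F: '$1 == "wheel" { print $4 }' "$group_file")
    case ",$wheel_members," in
        *",$login_user,"*) ;;
        *) echo "GAP: $login_user is not a member of wheel"; gaps=$((gaps + 1)) ;;
    esac
    extra=$(printf '%s\n' "$wheel_members" | tr ',' '\n' | grep -vx "$login_user" | grep -v '^$' | tr '\n' ' ')
    if [ -n "$extra" ]; then
        echo "GAP: other wheel members can also su: $extra"
        gaps=$((gaps + 1))
    fi

    return "$gaps"
}
```

Run it as audit_login_hardening /etc/pam.d/system-auth /etc/security/access.conf /etc/pam.d/su /etc/group loginuser1 on nodeorcl1; a non-zero exit status means at least one of the recipe's controls has drifted.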